AutoSploit = Shodan/Censys/Zoomeye + Metasploit

I know, I know: you have already read about AutoSploit and have probably used it since word got out about this auto-exploitation tool some two months ago. However, a lot has changed with the tool between then and now, and this post is about that.

What is AutoSploit?

AutoSploit is an automated, mass exploitation tool written in Python that can use the Shodan, Censys or Zoomeye search engines to locate targets; you can choose any one of them or all three. It can also take custom targets that you add manually. The tool then launches the relevant Metasploit modules against the discovered targets. Out of the box it ships with about 300 pre-defined Metasploit modules, selected with the purpose of code execution against different operating systems, web applications, IDS, etc. Whenever you want to add new modules to this list, editing the etc/json/default_modules.json file is enough. The list includes some really old exploits, such as MS01-023 (CVE-2001-0241) affecting Windows operating systems.

The following is the list of default Metasploit modules that come with AutoSploit:

Installation of the tool is straightforward and needs nothing extra on Kali Linux; the tool can also be run in Docker. After installation you are prompted for your Shodan and Censys API credentials, which are stored in /AutoSploit/etc/tokens/shodan.key and /AutoSploit/etc/tokens/censys.key respectively.

All in all, a good tool if you know what you are doing, as you need to configure it before it will actually get you a shell. The default module list also won't help much, as the exploits are pretty old and you may end up with some low-hanging fruit at best, and I do not really understand the brouhaha in the security industry over the release of this tool.

Now about the newer features in the latest AutoSploit release. This release has a few bug fixes and three new features. A feature I like in this release is exploit reporting: Metasploit output is captured and saved to a report file. Additionally, a .rc script file is created for every module run against a given host, allowing you to reproduce whatever caused an exploit to work. Another feature in this release is a command whitelist, which contains a list of allowed commands and blocks all others not included in that list.

Download AutoSploit:

The latest version of this mass exploitation tool was released 4 days ago: AutoSploit v2.1 (AutoSploit-2.1.zip / AutoSploit-2.1.tar.gz), which can be downloaded from here. Alternatively, run a git pull in your existing checkout to get the latest code from the source repository.
